goto allowed;
}
+ /*
+ * The SID list needs to include itself as well as the tokenGroups.
+ *
+ * TODO determine if sIDHistory is required for this check
+ */
+ werr = samdb_result_sid_array_ndr(b_state->sam_ctx_system, obj_res->msgs[0],
+ mem_ctx, "tokenGroups",
+ &num_token_sids,
+ &token_sids,
+ object_sid, 1);
+ if (!W_ERROR_IS_OK(werr) || token_sids==NULL) {
+ goto denied;
+ }
+
/* but it isn't allowed to get anyone elses krbtgt secrets */
if (samdb_result_dn(b_state->sam_ctx_system, mem_ctx,
obj_res->msgs[0], "msDS-KrbTgtLinkBL", NULL)) {
goto denied;
}
- /*
- * The SID list needs to include itself as well as the tokenGroups.
- *
- * TODO determine if sIDHistory is required for this check
- */
- werr = samdb_result_sid_array_ndr(b_state->sam_ctx_system, obj_res->msgs[0],
- mem_ctx, "tokenGroups",
- &num_token_sids,
- &token_sids,
- object_sid, 1);
- if (!W_ERROR_IS_OK(werr) || token_sids==NULL) {
- goto denied;
- }
-
if (never_reveal_sids &&
sid_list_match(num_token_sids,
token_sids,
goto denied;
}
+ /*
+ * The SID list needs to include itself as well as the tokenGroups.
+ *
+ * TODO determine if sIDHistory is required for this check
+ */
+ werr = samdb_result_sid_array_ndr(sam_ctx, obj_res->msgs[0],
+ mem_ctx, "tokenGroups",
+ &num_token_sids,
+ &token_sids,
+ object_sid, 1);
+ if (!W_ERROR_IS_OK(werr) || token_sids==NULL) {
+ goto denied;
+ }
+
werr = samdb_result_sid_array_dn(sam_ctx, rodc_res->msgs[0],
mem_ctx, "msDS-NeverRevealGroup",
&num_never_reveal_sids,
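Review bot: The relocated block above the msDS-NeverRevealGroup fetch keeps its old comment, which says what the SID list contains but not why the tokenGroups lookup must now run first, and it carries the open `TODO determine if sIDHistory is required for this check` along unchanged. The same applies to the copy moved in the earlier hunk, where the block now also separates the `goto allowed` branch from the "but it isn't allowed to get anyone elses krbtgt secrets" comment that continues it. token_sids feeds the never-reveal `sid_list_match` further down, so any SID class missing from it would make that deny check pass for the account; the TODO should be resolved or tied to a tracked issue. If the intent is to fail closed before any reveal-list evaluation, a line such as `/* Fetch tokenGroups first: any failure here must deny before the reveal lists are consulted. */` would record it. The enclosing function starts and ends outside this hunk, so the ordering relative to the later allow/deny matches is inferred from the visible context only.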
goto denied;
}
- /*
- * The SID list needs to include itself as well as the tokenGroups.
- *
- * TODO determine if sIDHistory is required for this check
- */
- werr = samdb_result_sid_array_ndr(sam_ctx, obj_res->msgs[0],
- mem_ctx, "tokenGroups",
- &num_token_sids,
- &token_sids,
- object_sid, 1);
- if (!W_ERROR_IS_OK(werr) || token_sids==NULL) {
- goto denied;
- }
-
if (never_reveal_sids &&
sid_list_match(num_token_sids,
token_sids,